On Mon, Feb 09, 2009 at 10:22:23AM +0100, Frank Louwers wrote:
>>> bert hubert wrote:
> >One small note - EDNS-PING is *not* yet an official standard. It is like
> >buying a '802.11N DRAFT' router!
> >
> >But it is unlikely the technical details (wire format) of EDNS-PING will
> >change, since the specification is so simple.
> >
> >
>> Bert,
>
Well, I'm not Bert, I can answer atleast the second question.
And Bert or someone else can correct me if I'm wrong. ;-)
> the two important questions to ask here are:
>> - will this break any old/broken-but-common dns resolver implementation
> out there?
This is an option as part of EDNS, it is something fairly new, so software
that deals with EDNS is only recent software. Old software that has problems
with EDNS would/could have problems with any EDNS-PING.
>From the wikipedia.org-page:
EDNS is an extension of the DNS protocol which allows DNS messages larger
than 512 bytes over UDP, and expands the number of flags, label types and
return codes available to the protocol. The version of EDNS specified by
RFC 2671 is known as EDNS0.
So it does make DNS-packets larger.
I checked what PowerDNS-recursor does, it adds some 17 bytes in total to a
packet if I remember correctly (I don't have the dumps here with me now).
Of which the largest part is the EDNS-part and the data is 8 bytes long.
> - will this help stop / prevent the recent DDoS dns-based attacks we've
> all seen the past few weeks?
>
Short answer: no
A bit longer answer: but PowerDNS like DJBDNS already has/had checks in
place to make this attack useless.
Long answer: it was an amplification attack, an attempt to let DNS-servers
send larger packets to the victum then the attacker was sending to these
DNS-servers.
There was an old convention where even though an authoritive nameserver
wasn't authoritive for the rootnameservers it would return a list of the
root nameservers if it had one. Because the list of rootnameservers is
a lot larger then the question this can be used as an amplification attack.
PowerDNS and DJB tinydns did not do this because first of all they are
authoritive nameservers and not a recursors (by default) so they don't
really need such a list.
They just send back an answer saying it's not authoritive, that packet
is about just as large as the question, so there is no amplification.
Seperating your recursor from your authoritive nameserver has always
been a good security practice.
> Regards,
>> Frank
Hope this was helpful.
Have a nice day,
Leen.